Overview
Your security team has recommended enforcing TLS 1.2 or 1.3 on your Lyris ListManager (LM) server(s), and you would like to know whether this is possible and how to implement it. Note that this applies to the LM web interface (HTTPS) only.
Solution
We have since developed an easier alternative to the Nginx setup described below; see the article Enforcing TLS 1.2 or 1.3 in Lyris LM using Stunnel.
ListManager has limitations when it comes to web traffic over TLS. If you want to force TLS 1.2 or higher, you will need to implement a reverse proxy in front of, and external to, ListManager. Review the information below to familiarize yourself with this type of implementation before using the PDF instructions at the end of this article.
What is the reverse proxy?
A reverse proxy is a server that sits in front of one or more backend servers, typically behind the firewall in a private network, and forwards client requests to the appropriate backend. It adds a layer of abstraction and control between clients and servers that is used for security (for example, terminating TLS with its own protocol and cipher configuration), availability, performance, and traffic shaping.
Why do we need it?
The ListManager web server cannot obtain an "A" rating from the SSL Labs SSL Server Test because ListManager does not support modern TLS protocol versions and strong ciphers on its own HTTPS listener. This limitation comes from the incomplete HTTP/HTTPS server implementation provided by the ActiveTcl 1.4/1.5 and OpenSSL 1.0.2u components that ListManager ships with.
How does it work?
The diagram below illustrates how the proxy sits in front of the current LM web server: all HTTP traffic is redirected to HTTPS, and the proxy talks to LM over plain HTTP, so LM's own TLS implementation is never used, which avoids that overhead and improves performance. The proxy terminates TLS itself using TLSv1.2 or TLSv1.3 (depending on your implementation) with modern, well-secured ciphers, which yields an "A" rating.
It is implemented as an Nginx instance that listens for all Internet requests on HTTP (TCP 80) and HTTPS (TCP 443) and proxies every connection to the LM HTTP server (TCP 8080, if both run on the same server).
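As an added example (not part of the original article or of Lyris' own documentation), the following Nginx server blocks implement the layout just described: port 80 only redirects, port 443 terminates TLS 1.2/1.3 and proxies to LM over plain HTTP. The hostname lists.example.com, the certificate paths under /etc/nginx/tls/, and the loopback address 127.0.0.1:8080 for the LM HTTP listener are assumptions; adjust them to your installation.

```nginx
# Added example, not from the Lyris article. Assumptions: the LM web server
# listens on 127.0.0.1:8080 on the same host, the public name is
# lists.example.com, and the certificate chain and key are in /etc/nginx/tls/.

# Plain-HTTP listener: redirect everything to HTTPS; nothing is proxied here.
server {
    listen 80;
    listen [::]:80;
    server_name lists.example.com;
    return 301 https://$host$request_uri;
}

# HTTPS listener: Nginx, not ListManager, terminates TLS.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name lists.example.com;

    ssl_certificate     /etc/nginx/tls/fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/privkey.pem;

    # Accept only TLS 1.2 and 1.3. TLS 1.0/1.1 handshakes are refused at
    # the proxy, so the LM TLS stack is never exercised by clients.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Forward-secret AEAD suites only (TLS 1.3 suites are built in).
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    ssl_session_timeout 1d;
    ssl_session_cache   shared:LM:10m;
    ssl_session_tickets off;

    # Optional: tell browsers to never use plain HTTP for this host again.
    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        # LM's own HTTP listener; plain HTTP on the loopback interface only.
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Lets the backend know the client-facing scheme was HTTPS.
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

`ssl_protocols TLSv1.3` requires Nginx 1.13.0 or later built against OpenSSL 1.1.1 or later; on an older build, remove `TLSv1.3` and the TLS 1.2 floor still holds. Check the file with `nginx -t` before reloading. Because Nginx forwards plain HTTP to port 8080, that port must be reachable only from the proxy (bind it to loopback or firewall it); otherwise a client can bypass the TLS enforcement by connecting to ListManager directly. The `Strict-Transport-Security` header is optional, but once a trusted certificate with a complete chain and a 2048-bit or larger key is installed it is what moves the SSL Labs grade from "A" to "A+".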
Testing
Once the Nginx reverse proxy is in place, re-run the SSL Labs test against the public hostname. The proxy, not ListManager, now terminates TLS, so the result reflects the Nginx configuration and should come back as an "A" rating.
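Before or alongside the SSL Labs scan, a quick local check is to attempt one handshake per protocol version with `openssl s_client` and confirm that TLS 1.0 and 1.1 are refused while TLS 1.2 and 1.3 succeed. The script below is an added example, not part of the original article; the hostname lists.example.com is an assumption, and it expects an OpenSSL CLI that understands the `-tls1` through `-tls1_3` options (1.1.1 or later for `-tls1_3`).

```shell
#!/bin/sh
# Added example (not from the Lyris article): probe which TLS versions the
# Nginx front end accepts. Usage: ./tlscheck.sh HOST [PORT]
# The default host name below is an assumption; pass your own.

HOST="${1:-lists.example.com}"
PORT="${2:-443}"

# judge PROTO RC: succeed (return 0) when the observed handshake result
# (RC=0 handshake succeeded, non-zero handshake failed) is what a
# TLS 1.2+-only endpoint must produce for that protocol version.
judge() {
    proto="$1"
    rc="$2"
    case "$proto" in
        tls1|tls1_1)   [ "$rc" -ne 0 ] ;;   # legacy versions must be refused
        tls1_2|tls1_3) [ "$rc" -eq 0 ] ;;   # modern versions must succeed
        *)             return 2 ;;          # unknown protocol name
    esac
}

# probe PROTO: attempt a handshake restricted to exactly that version.
# Returns openssl's exit status (0 only if the handshake completed).
probe() {
    proto="$1"
    openssl s_client -connect "$HOST:$PORT" -servername "$HOST" "-$proto" \
        </dev/null >/dev/null 2>&1
}

# check_all: probe every version and report; non-zero if any result is
# not what a TLS 1.2+-only configuration should give.
check_all() {
    failed=0
    for proto in tls1 tls1_1 tls1_2 tls1_3; do
        probe "$proto"
        rc=$?
        if judge "$proto" "$rc"; then
            printf '%-7s ok (handshake rc=%d)\n' "$proto" "$rc"
        else
            printf '%-7s UNEXPECTED (handshake rc=%d)\n' "$proto" "$rc"
            failed=1
        fi
    done
    return "$failed"
}

# Only probe the network when a host was given on the command line.
case "${1:-}" in
    "") echo "usage: $0 HOST [PORT]" >&2 ;;
    *)  check_all ;;
esac
```

A refused `tls1` or `tls1_1` handshake can also come from the client side when the local OpenSSL build or its security level no longer offers those versions; drop the `>/dev/null 2>&1` redirection on the `probe` line to see the actual alert or "no protocols available" message. The authoritative grade still comes from the SSL Labs scan, which also checks the certificate chain and key size that this script does not look at.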